An Encryption Upgrade Could Upend Online Payments. AT THE END of June, digital credit card transactions are getting a mandatory encryption upgrade. It’s good news—but not if you have an old device, or depend on a retailer that hasn’t completed the transition.
When data moves from one device to another, it needs to protection so it isn’t intercepted and manipulated along the way. This defense is especially crucial, as you might imagine, for sensitive communications like financial transactions. And with credit card fraud booming, the Payment Card Industry Security Standards Council announced last year that it would phase out an old, buggy encryption scheme used for processing digital credit card transactions, called Transport Layer Security 1.0, in favor of more secure options. The deadline: June 30.
Though there are exceptions for merchants that run their own payment processing servers, organizations that use PCI-compliant commerce platforms—almost everyone—need to upgrade the encryption protocols on their websites and payment terminals if they haven’t already. Running these updates should be pretty easy for a small business that has a couple of credit card readers and a website, but merchants need to know to do it in the first place. Large companies with thousands of payment terminals and a massive web presence face a more significant update challenge. With the deadline just weeks away, some are still scrambling. In the worst-case scenarios, those credit card transactions will simply stop going through.
“This update is a big deal in the e-commerce platform world, because every merchant is using unique integrations and needs to be up to date so transactions don’t fail,” says Jack Cravy, vice president of operations at the software provider AmeriCommerce, which has been working with customers to prepare for the transition. “A lot of these platforms that haven’t updated yet need to get on the ball pretty soon, or they’re going to be in hot water.”
In addition to potential problems on the merchant side, older software and devices may not support the improved encryption protocols, meaning that transactions could fail on the user side as well. Independent of the push to secure credit card transactions, many sites [have transitioned](() to more secure encryption in the past few years; if your device is that old, you’ve likely noticed it by now already. And even if you’re running an ancient or poorly forked version of Android, or a musty iOS, you may be able to get around the problem if your device can run a fairly current browser that supports TLS 1.1 and 1.2.